[Bug middle-end/78245] New: missing -Wformat-length on an overflow of a dynamically allocated buffer

msebor at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Mon Nov 7 23:30:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78245

            Bug ID: 78245
           Summary: missing -Wformat-length on an overflow of a
                    dynamically allocated buffer
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The -Wformat-length warning points out instances of buffer overflow involving
either statically or automatically allocated buffers but fails to do the same
for dynamically allocated ones, greatly diminishing the usefulness of the
checker.  The test case below demonstrates the problem.


$ cat b.c && /build/gcc-git/gcc/xgcc -B /build/gcc-git/gcc -O2 -S -Wall b.c
char a[2];
char *p;

void f_auto (void)
{
  __builtin_sprintf (a, "%i", 123);  // warning
}

void f_static (void)
{
  char b[2];
  __builtin_sprintf (b, "%i", 123);   // warning

  extern void sink (void*);
  sink (b);
}

void g (void)
{
  p = __builtin_malloc (2);
  __builtin_sprintf (p, "%i", 123);   // no warning
}

b.c: In function ‘f_auto’:
b.c:6:26: warning: ‘%i’ directive writing 3 bytes into a region of size 2
[-Wformat-length=]
   __builtin_sprintf (a, "%i", 123);  // warning
                          ^~
b.c:6:3: note: format output 4 bytes into a destination of size 2
   __builtin_sprintf (a, "%i", 123);  // warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
b.c: In function ‘f_static’:
b.c:12:26: warning: ‘%i’ directive writing 3 bytes into a region of size 2
[-Wformat-length=]
   __builtin_sprintf (b, "%i", 123);   // warning
                          ^~
b.c:12:3: note: format output 4 bytes into a destination of size 2
   __builtin_sprintf (b, "%i", 123);   // warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
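The heap case from g() above is exactly where the checker is silent, so a defender cannot rely on the diagnostic to catch the overflow. The following is an added example (not part of the bug report or of GCC's code) that keeps the same 2-byte buffer and "%i" of 123 but bounds the write with snprintf and sizes the allocation from the formatted length; the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as g() in the report: the caller passes a buffer whose size is
 * only known at run time, so -Wformat-length (GCC 7) emits nothing for it.
 * Using snprintf instead of sprintf bounds the write; the return value is the
 * length the full output would need, so a result >= dstsize means the output
 * was truncated and an unbounded sprintf would have overflowed the heap. */
int format_into_fixed(char *dst, size_t dstsize, int value)
{
    return snprintf(dst, dstsize, "%i", value);
}

/* Returns 1 if formatting value into a dstsize-byte buffer would overflow
 * (output length plus the terminating NUL exceeds dstsize). */
int would_overflow(size_t dstsize, int value)
{
    int len = snprintf(NULL, 0, "%i", value);  /* length only, nothing written */
    return len < 0 || (size_t)len + 1 > dstsize;
}

/* Hardened version of g(): measure first, then allocate exactly what the
 * formatted output needs. Caller frees the result. */
char *format_alloc(int value)
{
    int len = snprintf(NULL, 0, "%i", value);
    if (len < 0)
        return NULL;
    char *p = malloc((size_t)len + 1);       /* +1 for the NUL terminator */
    if (p == NULL)
        return NULL;
    snprintf(p, (size_t)len + 1, "%i", value);
    return p;
}

int main(void)
{
    char small[2];                            /* the 2-byte buffer from the report */
    int needed = format_into_fixed(small, sizeof small, 123);
    printf("needed %d bytes, buffer holds %zu, truncated to \"%s\"\n",
           needed, sizeof small, small);
    char *p = format_alloc(123);
    printf("sized allocation holds \"%s\"\n", p);
    free(p);
    return 0;
}
```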

